The groups feature allows account admins to restrict access to asset types by group.
When an asset type is restricted, members of that group can no longer search, view, create, edit, or delete those assets on a global basis. The Organization sidebar will also no longer have a link to view assets of that type.
For step-by-step instructions on how to set these permissions, see the Groups article.
How these permissions interrelate with other permissions
First, some definitions to keep in mind:
- Asset types are the different categories of assets in IT Glue: configurations, passwords, documents, contacts, etc. For every group, there is a set of permissions that restrict access to asset types across all organizations. Only Administrators can set these permissions.
- Assets are the individual "objects", such as a Windows server, a domain admin password, or a document on how to configure a Cisco router VPN. For every asset, there is a set of permissions that allow access to that asset. Anyone with editing privileges can set these permissions.
When a user searches or browses for assets, IT Glue checks their permissions and displays only the assets and asset types that the user is allowed to see.
Denied permissions will always take precedence over allowed permissions. This means that an explicit allow permission at the asset-level will never take precedence over a group-inherited deny permission.
Because IT Glue blocks access to entire areas based on denied asset types, this prevents anyone from inadvertently sharing sensitive information with users who should not have access. While this gives you greater control over data access by asset type, it also means your team cannot make exceptions to share individual assets on a case-by-case basis.
Layers of permissions
When a user is a member of multiple groups, and the asset type restrictions within these groups conflict, the most restrictive setting will be used. This means you can create layers of permissions based on groups of users.
Tech Team – You’ve hired your first intern, Craig, and added him to the "Tech" group. This group gives Craig permissions to view and edit sensitive financial information, which you don't want. In this scenario, you could create an "Interns" group for the purpose of blocking Craig's access to the sensitive information contained in some asset types.
Clients/Contractors – You’ve signed with a new client “Happy Frog” and you want the CEO John to have read-only access to the types of information that clients often request. In this scenario, you could grant John access to Happy Frog (with a Lite role) and then add him to a "Clients" group that makes only a limited set of asset types visible to John and other clients.